SUSE SLED15 / SLES15 Security Update : sccache (SUSE-SU-2026:3022-1)

critical Nessus Plugin ID 327293

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:3022-1 advisory.

Update to version 0.15.0~17.

- CVE-2023-26964: hyper,h2: high resource consumption due to stream stacking when H2 component processes `HTTP2 RST_STREAM` frames (bsc#1210346).
- CVE-2024-32650: rust-rustls: infinite loop in `rustls::conn::ConnectionCommon:complete_io()` when processing client input network input (bsc#1223238).
- CVE-2025-3416: openssl: use-after-free in `Md::fetch` and `Cipher::fetch` (bsc#1242611).
- CVE-2026-25727: time: stack exhaustion in the RFC 2822 date parser when processing certain user provided input (bsc#1257923).
- CVE-2026-41676: openssl: short buffer overflow via `Deriver:derive` and `PkeyCtxRef:derive` when using OpenSSL 1.1.1 (bsc#1270206).
- CVE-2026-41677: openssl: out-of-bounds read in PEM password callback when returning an oversized length (bsc#1270559).
- CVE-2026-41678: openssl: OOB write due to incorrect bounds assertion in `aes::unwrap_key()` (bsc#1270693).
- CVE-2026-41681: openssl: stack corruption due to `MdCtxRef::digest_final()` writing past caller buffer with no length check (bsc#1270736).
- CVE-2026-41898: openssl: information leak to network peers due to unchecked callback-returned length in PSK and cookie generate trampolines (bsc#1270869).
- CVE-2026-42327: openssl: undefined behavior in `X509Ref::ocsp_responders` when processing certificates with non-UTF-8 OCSP URLs (bsc#1270512).
- CVE-2026-44662: openssl: heap buffer overflow when encrypting with AES key-wrap-with-padding (bsc#1270938).
- CVE-2026-45784: openssl: out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers (bsc#1270948).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected sccache package.

See Also

https://bugzilla.suse.com/1210346

https://bugzilla.suse.com/1223238

https://bugzilla.suse.com/1229955

https://bugzilla.suse.com/1242611

https://bugzilla.suse.com/1243868

https://bugzilla.suse.com/1257923

https://bugzilla.suse.com/1270206

https://bugzilla.suse.com/1270512

https://bugzilla.suse.com/1270559

https://bugzilla.suse.com/1270693

https://bugzilla.suse.com/1270736

https://bugzilla.suse.com/1270869

https://bugzilla.suse.com/1270938

https://bugzilla.suse.com/1270948

https://lists.suse.com/pipermail/sle-updates/2026-July/048310.html

https://www.suse.com/security/cve/CVE-2023-26964

https://www.suse.com/security/cve/CVE-2024-12224

https://www.suse.com/security/cve/CVE-2024-32650

https://www.suse.com/security/cve/CVE-2024-43806

https://www.suse.com/security/cve/CVE-2025-3416

https://www.suse.com/security/cve/CVE-2026-25727

https://www.suse.com/security/cve/CVE-2026-41676

https://www.suse.com/security/cve/CVE-2026-41677

https://www.suse.com/security/cve/CVE-2026-41678

https://www.suse.com/security/cve/CVE-2026-41681

https://www.suse.com/security/cve/CVE-2026-41898

https://www.suse.com/security/cve/CVE-2026-42327

https://www.suse.com/security/cve/CVE-2026-44662

https://www.suse.com/security/cve/CVE-2026-45784

Plugin Details

Severity: Critical

ID: 327293

File Name: suse_SU-2026-3022-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/16/2026

Updated: 7/16/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-41678

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-41681

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:sccache, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/15/2026

Vulnerability Publication Date: 4/11/2023

Reference Information

CVE: CVE-2023-26964, CVE-2024-12224, CVE-2024-32650, CVE-2024-43806, CVE-2025-3416, CVE-2026-25727, CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681, CVE-2026-41898, CVE-2026-42327, CVE-2026-44662, CVE-2026-45784

SuSE: SUSE-SU-2026:3022-1